Receiving 2108's and 1084's on DC...
-
Tuesday, April 10, 2012 3:46 PM
Hi-
We just noticed these errors on our Main - Primary AD-GC/DC machine. I think they have been reporting for some time - at least the last two days.
We do not have low disk space.
We have no errors on our drives - chkdsk ran.
Our roles are still seized by the same Primary DC.
Issues w/ DNS - restarted DNS and FRS.
However - we did perform a failover test a few weeks ago.
We shutdown "this" Primary DC in order to test if other DC's would take over.
Also - this DC seized roles of another DC that might have had a corrupted DB - could the old DC replicate corrupted DB entries/items?
Here are the details... trying to follow steps and go thru now...
###############################################
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1084
Date: 4/10/2012
Time: 10:09:30 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MDNFILE
Description:
Internal event: Active Directory could not update the following object with changes received from the following source domain controller. This is because an error occurred during the application of the changes to Active Directory on the domain controller.
Object:
DC=Domain,DC=local
Object GUID:
35b883e2-ab72-463d-9432-f9c2c21fa04e
Source domain controller:
f241211b-d558-4227-9f7c-68e299c2310b._msdcs.domain.local
Synchronization of the local domain controller with the source domain controller is blocked until this update problem is corrected.
This operation will be tried again at the next scheduled replication.
User Action
Restart the local domain controller if this condition appears to be related to low system resources (for example, low physical or virtual memory).
Additional Data
Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
################################################################
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 2108
Date: 4/10/2012
Time: 10:19:12 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: MDNFILE
Description:
This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.
Object:
DC=Domain,DC=local
Object GUID:
35b883e2-ab72-463d-9432-f9c2c21fa04e
Source domain controller:
46e22a82-7b27-412c-adad-63270d89bc54._msdcs.domain.local
User Action
Please consult KB article 837932, http://support.microsoft.com/?id=837932. A subset of its repair procedures are listed here.
1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
3. The problem may be related to the object's parent on this domain controller. On the source domain controller, move the object to have a different parent.
4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface. If the error is occurring in an application partition, you can stop the application partition from being hosted on this replica. This may be changed using the ntdsutil.exe command.
5. Obtain the most recent ntdsutil.exe by installing the latest service pack for your operating system. Prior to booting into Directory Services Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset it prior to restarting the system.
6. In DSRM, run the NT CMD prompt, run "ntdsutil files integrity". If corruption is found and other replicas exist, then demote replica and check your hardware. If no replicas are present, restore a system state backup and repeat this verification.
7. Perform an offline defragmentation using the "ntdsutil files compact" function.
8. The "ntdsutil semantic database analysis" should also be performed. If errors are found, they may be corrected using the "go fixup" function. Note that this should not be confused with the database maintenance function called "ESE repair", which should not be used, since it causes data loss for Active Directory Databases.
If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again.
Additional Data
Primary Error value:
1127 While accessing the hard disk, a disk operation failed even after retries.
Secondary Error value:
-510 JET_errLogWriteFail, Failure writing to log file
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
##############################################################
Event Type: Information
Event Source: NtFrs
Event Category: None
Event ID: 13516
Date: 4/10/2012
Time: 9:54:55 AM
User: N/A
Computer: MDNFILE
Description:
The File Replication Service is no longer preventing the computer MDNFILE from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
Type "net share" to check for the SYSVOL share.
###############################################
Ran repadmin - this appears to be Ok...
C:\>repadmin /showrepl
repadmin running command /showrepl against server localhost
Default-First-Site\MDNFILE
DC Options: IS_GC
Site Options: (none)
DC object GUID: 99873373-3555-4dbb-922f-deda571b71a8
DC invocationID: 8377a19c-2a1b-45fe-a8e3-1eeae7de71fe
==== INBOUND NEIGHBORS ======================================
DC=domain,DC=local
Default-First-Site\AUXMIL1 via RPC
DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
Last attempt @ 2012-04-05 18:26:18 was successful.
Default-First-Site\CDRDC via RPC
DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
Last attempt @ 2012-04-05 18:26:18 was successful.
Default-First-Site\MDNDC via RPC
DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
Last attempt @ 2012-04-05 18:26:21 was successful.
CN=Configuration,DC=domain,DC=local
Default-First-Site\AUXMIL1 via RPC
DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
Last attempt @ 2012-04-05 17:50:05 was successful.
Default-First-Site\CDRDC via RPC
DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
Last attempt @ 2012-04-05 17:50:05 was successful.
Default-First-Site\MDNDC via RPC
DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
Last attempt @ 2012-04-05 18:20:05 was successful.
CN=Schema,CN=Configuration,DC=domain,DC=local
Default-First-Site\CDRDC via RPC
DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
Last attempt @ 2012-04-05 17:50:05 was successful.
Default-First-Site\AUXMIL1 via RPC
DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
Last attempt @ 2012-04-05 17:50:05 was successful.
Default-First-Site\MDNDC via RPC
DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
Last attempt @ 2012-04-05 18:20:05 was successful.
DC=DomainDnsZones,DC=domain,DC=local
Default-First-Site\CDRDC via RPC
DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
Last attempt @ 2012-04-05 17:50:06 was successful.
Default-First-Site\AUXMIL1 via RPC
DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
Last attempt @ 2012-04-05 17:50:06 was successful.
Default-First-Site\MDNDC via RPC
DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
Last attempt @ 2012-04-05 18:20:05 was successful.
DC=ForestDnsZones,DC=domain,DC=local
Default-First-Site\CDRDC via RPC
DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
Last attempt @ 2012-04-05 17:50:06 was successful.
Default-First-Site\AUXMIL1 via RPC
DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
Last attempt @ 2012-04-05 17:50:06 was successful.
Default-First-Site\MDNDC via RPC
DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
Last attempt @ 2012-04-05 18:20:05 was successful.
###################################################
DCDiag /q - shows lots of these errors...
An Error Event occured. EventID: 0xC000043C
Time Generated: 04/10/2012 10:40:21
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC025083C
Time Generated: 04/10/2012 10:40:21
(Event String could not be retrieved)
......................... MDNFILE failed test kccevent
##################################
Netdiag /q - passed all tests - except this one:
Global results:
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
#################################################
Any other ideas as to find out what could be wrong?
Thanks for any help.
-P
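
A check on the `repadmin /showrepl` output above, as an added example that is not part of the original post: every "Last attempt" in it is dated 2012-04-05, while the 1084/2108 events are dated 4/10/2012, so "was successful" there describes an attempt several days old. The sketch parses that text layout and flags failed or stale inbound neighbors; the 24-hour threshold, the function names and the two CDRDC sample entries are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `repadmin /showrepl` output quoted in
# the post. The first two neighbors copy lines from the post; the CDRDC entries
# (a recent success and a failure) are invented for illustration.
SAMPLE = r"""==== INBOUND NEIGHBORS ======================================
DC=domain,DC=local
Default-First-Site\AUXMIL1 via RPC
DC object GUID: 46e22a82-7b27-412c-adad-63270d89bc54
Last attempt @ 2012-04-05 18:26:18 was successful.
Default-First-Site\MDNDC via RPC
DC object GUID: f241211b-d558-4227-9f7c-68e299c2310b
Last attempt @ 2012-04-05 18:26:21 was successful.
CN=Configuration,DC=domain,DC=local
Default-First-Site\CDRDC via RPC
DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
Last attempt @ 2012-04-10 10:30:00 was successful.
CN=Schema,CN=Configuration,DC=domain,DC=local
Default-First-Site\CDRDC via RPC
DC object GUID: 99c28df2-382c-4789-9021-664fc9f89e43
Last attempt @ 2012-04-10 10:35:00 failed, result 8451 (0x2103):
"""

PARTITION = re.compile(r"^(?:DC|CN)=.+$")
NEIGHBOR = re.compile(r"^.+\\(?P<dc>\S+) via RPC$")
ATTEMPT = re.compile(r"^Last attempt @ (?P<ts>[\d-]+ [\d:]+) (?P<res>was successful|failed)")

def parse_showrepl(text):
    """Return one dict per inbound neighbor: partition, dc, when, ok."""
    rows, inbound, partition, dc = [], False, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("===="):
            inbound = "INBOUND NEIGHBORS" in line
        elif not inbound:
            continue
        elif m := NEIGHBOR.match(line):
            dc = m["dc"]
        elif m := ATTEMPT.match(line):
            when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            rows.append({"partition": partition, "dc": dc, "when": when,
                         "ok": m["res"] == "was successful"})
        elif PARTITION.match(line):
            partition = line
    return rows

def flag_neighbors(rows, now, max_age=timedelta(hours=24)):
    """Flag failed attempts and 'successful' ones older than max_age (assumed 24 h)."""
    flagged = []
    for r in rows:
        if not r["ok"]:
            flagged.append((r["dc"], r["partition"], "failed"))
        elif now - r["when"] > max_age:
            flagged.append((r["dc"], r["partition"], f"stale {(now - r['when']).days}d"))
    return flagged

if __name__ == "__main__":
    # Reference time: the DCDiag timestamp in the post (04/10/2012 10:40:21).
    for item in flag_neighbors(parse_showrepl(SAMPLE), datetime(2012, 4, 10, 10, 40, 21)):
        print(item)
```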
All Replies
-
Tuesday, April 10, 2012 4:04 PM
DCDIAG and Replication look fine. I think the issue is with the AD database; you need to verify the database integrity.
Read the threads below:
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/62394928-2c05-4589-aea4-dae472948005
http://social.technet.microsoft.com/Forums/en-AU/winserverDS/thread/de741ce2-1449-42b5-9a8b-c111f0b0ec00
Basically ntdsutil "sem d a" "go f" and an offline defrag of the AD db did the trick.
If offline defrag fails you need to repair the AD database. However, before you proceed take a backup of the server. If repair fails then demote/promote is the last option.
To repair AD database
C:\windows\system32>esentutl /P "database path"
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Marked As Answer by Pickle Tuesday, April 10, 2012 7:49 PM
-
Tuesday, April 10, 2012 4:19 PM
Hello,
I would agree with Sandesh.
How to complete a semantic database analysis for the Active Directory database by using Ntdsutil.exe: http://support.microsoft.com/kb/315136
If you still have at least a healthy DC with GC then you can proceed like that:
- Re-install the faulty DC
- Seize FSMO roles on another DC: http://support.microsoft.com/kb/255504
- Perform a metadata cleanup: http://technet.microsoft.com/en-us/library/cc736378%28v=ws.10%29.aspx
- Promote again the re-installed server and make it a DC / DNS / GC server. Once done, transfer FSMO roles back to it
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
- Edited by Mr X MVP Tuesday, April 10, 2012 4:22 PM
-
Tuesday, April 10, 2012 4:20 PM
Hello,
please see http://support.microsoft.com/kb/837932 how to handle this.
Also see previous discussion http://social.technet.microsoft.com/Forums/en/winserverDS/thread/62394928-2c05-4589-aea4-dae472948005
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Tuesday, April 10, 2012 4:48 PM
Hi Sandesh, Mr X & Meinolf-
Thanks for quick reply.
This machine is a file/print server as well.
Do you think the AD - DC/GC DB is the issue on this server only?
Or - affects all the other AD - DC(member) servers DB's as well?
We do not want to reboot this server into restore mode.
We'd rather promote another DC - seize roles from this machine and fix the DB on a server that is "only" a DC - not a file/print server.
Hope this makes sense. What do you think?
Thx.
-P
-
Tuesday, April 10, 2012 5:13 PM
Hello,
it may occur if that is the only DC that promotion of a new one fails as it must connect to the database to replicate. If you have another DC/DNS server use ONLY that one the server NIC as preferred that should be promoted to DC also.
Do NOT seize FSMO roles except the server is crashed complete. Transfer them to another DC and if that is not possible demote the problem DC with /forceremoval, NOW seize FSMO roles on another DC, run metadata cleanup and after all this is replicated to all other DCs you can promote it again.
So move the file/print server role to another domain member server with FSMT http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=10268 and migrate printers with http://technet.microsoft.com/en-us/library/cc722360.aspx or http://technet.microsoft.com/en-us/library/cc722360.aspx
File/Print services should NOT run on a DC for performance reasons and also you are now limited with immediate reactions. A DC should be used for AD/DNS/GC and that's it. Other server roles have to run on domain MEMBER servers instead.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Tuesday, April 10, 2012 5:34 PM
Hi Meinolf-
Thanks for the quick details.
Yes - we may have an issue w/ DNS if we demote or promote another DC.
Although we have a backup DNS server - another DC(DNS/DHCP) that is a GC and all workstations/clients have it listed as the secondary DNS server.
Ok - I understand this part:
"Do NOT seize FSMO roles except the server is crashed complete. Transfer them to another DC and if that is not possible demote the problem DC with /forceremoval, NOW seize FSMO roles on another DC, run metadata cleanup and after all this is replicated to all other DCs you can promote it again."
We do "not" want to move the File/Print server data or printers but understand the "role" can be changed.
Can any of these steps be executed in a live environment?
We do "not" want to affect the users - if possible.
Can we perform the FSMT during production?
We want to transfer the roles to another DC that is a GC already in our site.
Yes - we understand that a file/print server should not have AD/DC installed on it - makes sense.
-P
-
Tuesday, April 10, 2012 5:41 PM
Hello,
either you like to fix the DC or keep an up and running file/print machine? So move the file/print with the required downtimes and then fix the DC. FSMT and also Printmigration requires some downtime, during the copy process so do it on COB or at weekends. If possible test it in a lab before to get familiar with the steps.
Transferring FSMO roles is no problem and without user effect or reboot.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Tuesday, April 10, 2012 5:57 PM
Hi Meinolf-
We'd like to keep the file/print server up and running - change it to a member server only.
And transfer roles to another DC/GC - that is running "only" AD - Directory Services.
Ok - if roles do "not" transfer - we have to fix the Primary DC/GC(file/print server).
Schedule maintenance & boot into Restore mode.
And if so - can we run FSMT - transfer print services at this time? ( While we are fixing DB)
Thx.
-P
-
Tuesday, April 10, 2012 6:03 PM
Hello,
do maintenance tasks one by one and never together. Even if this may take more time, you are safer and do not have to fix multiple problems that may occur; stick to one.
Keep in mind that administration has to be done without hurry, even if the boss is at your back; if it fails you have more trouble than using some more time for doing it correctly and keeping the system alive.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Tuesday, April 10, 2012 6:29 PM
Hello,
transferring FSMO roles is the easiest step you can do and see immediately the result, http://support.microsoft.com/kb/324801 so i would start with that one, then migrate the printers and then the files. But it depends on you how you handle it, just make sure to control each step.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
- Marked As Answer by Pickle Tuesday, April 10, 2012 7:50 PM
-
Tuesday, April 10, 2012 9:14 PM
Ok - we tried transferring the Schema Master role and it failed - Could not assign the new DC operations master.
Can we try to assign the other AD-DC/GC roles....?
Or do we need to go into Restore mode now and run ntdsutil and try to fix DB next?
-
Tuesday, April 10, 2012 9:37 PM
Hello,
of course you can use another DC when trying to transfer the FSMO roles.
To check the AD database the FSMO roles are not a problem. Even the domain will work without the FSMO roles for some time.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Tuesday, April 10, 2012 9:43 PM
Thanks - we are going to go into restore mode now. Could not transfer even from another DC...

